docs: add oracle and dispute threat-model and security-architecture document#597
Merged
greatest0fallt1me merged 2 commits into Jun 19, 2026
- Update Gap Analysis doc-comment in queries.rs (supersedes 2026-04-23): mark every getter as Implemented / Stubbed / Planned with exact call path
- Update API_DOCUMENTATION.md 'Query Functions' section: replace flat bullet list with status tables covering all QueryManager functions plus out-of-manager getters (bet limits, config, dispute timeout, permissions_for_role)
- Flag stubbed metric fields in query_user_balance, query_market_pool, and query_contract_state and cross-link to issue Predictify-org#595
- Add grep-based verification method so status can be re-checked at any time

Closes Predictify-org#595
…ocument

- Add docs/security/THREAT_MODEL.md enumerating oracle and dispute threats with mitigations, each citing the implementing module/function and Error variant from err.rs
- Oracle defenses: whitelist (OracleWhitelist), multi-source consensus (OracleIntegrationManager, DEFAULT_CONSENSUS_THRESHOLD=66), staleness (validate_oracle_data, DEFAULT_MAX_STALENESS_SECS=60, EventOracleValidationConfig), confidence bounds (DEFAULT_MAX_CONFIDENCE_BPS=500), replay prevention
- Dispute defenses: minimum stake (MIN_DISPUTE_STAKE=10_000_000), voting window (DISPUTE_EXTENSION_HOURS=24), stake-weighted tally (calculate_stake_weighted_outcome), exact-tie -> oracle-stands rule, double-dispute prevention (AlreadyDisputed=404)
- Known gaps: no cross-market dispute rate-limiting (tracked Predictify-org#594), confidence checks only for providers that supply confidence field, fixed voting window
- Update docs/README.md to link THREAT_MODEL.md from security section
- Cross-references ATTACK-VECTORS.md and SECURITY_CONSIDERATIONS.md without duplicating content

Closes Predictify-org#594
Contributor

Really like this threat model; tying each mitigation back to the actual module/function makes it useful instead of hand-wavy. FYI the red check is the pre-existing test-compile issue in the repo, nothing to do with this docs change, so I'm merging. (Closing #596 since this PR already contains it.)
Summary
Adds `docs/security/THREAT_MODEL.md` — a single, code-grounded threat model tying the oracle-resolution and dispute subsystems' defences to their implementations.

Closes #594
Changes
- `docs/security/THREAT_MODEL.md` (new) — enumerates oracle and dispute threats with mitigations, each citing the implementing module/function and `Error` variant from `err.rs`:
  - `DEFAULT_CONSENSUS_THRESHOLD = 66`), stale-price exploitation (`validate_oracle_data`, `DEFAULT_MAX_STALENESS_SECS = 60`, `EventOracleValidationConfig`), low-confidence manipulation (`DEFAULT_MAX_CONFIDENCE_BPS = 500`), unavailability/DoS
  - `MIN_DISPUTE_STAKE = 10_000_000`), Sybil (`calculate_stake_weighted_outcome`), tie manipulation (exact-tie → oracle stands), double-dispute/double-vote, window expiry
  - `Error` variants
- `docs/README.md` — adds link to `THREAT_MODEL.md` in the security section

Acceptance criteria checklist

- `THREAT_MODEL.md` enumerates oracle and dispute threats with mitigations
- `Error` variant
- `docs/README.md`
- `ATTACK-VECTORS.md` and `SECURITY_CONSIDERATIONS.md`
- `contracts/predictify-hybrid/src`
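The oracle and dispute defenses listed in the second commit message and again in the PR description above, as an added example written for this page in plain Rust. It is not the Predictify contract's own code and does not use the Soroban SDK. The constant names and values (`DEFAULT_CONSENSUS_THRESHOLD = 66`, `DEFAULT_MAX_STALENESS_SECS = 60`, `DEFAULT_MAX_CONFIDENCE_BPS = 500`, `MIN_DISPUTE_STAKE = 10_000_000`, `DISPUTE_EXTENSION_HOURS = 24`), the function names `validate_oracle_data` and `calculate_stake_weighted_outcome`, and `AlreadyDisputed = 404` are taken from the page; the struct shapes, the function signatures, every other `Error` name, and the sample sources and voters used in comments are assumptions made here.

```rust
// Added illustration, not the Predictify contract's own code: a plain-Rust model of the
// oracle and dispute checks named in the commit message. Constant names and values come
// from that message; every type, signature and Error name other than AlreadyDisputed
// is an assumption made here for the example.
use std::collections::BTreeMap;

const DEFAULT_CONSENSUS_THRESHOLD: u64 = 66; // percent of valid sources that must agree
const DEFAULT_MAX_STALENESS_SECS: u64 = 60;
const DEFAULT_MAX_CONFIDENCE_BPS: u32 = 500; // widest confidence interval accepted
const MIN_DISPUTE_STAKE: i128 = 10_000_000;
const DISPUTE_EXTENSION_HOURS: u64 = 24;

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Error {
    // Assumed names, except AlreadyDisputed, which the commit message quotes with its value.
    OracleNotWhitelisted, StaleOracleData, LowConfidence, NoConsensus,
    InsufficientStake, NotDisputed, VotingWindowClosed, AlreadyVoted,
    AlreadyDisputed = 404,
}

#[derive(Clone)]
pub struct OraclePrice {
    pub source: &'static str,
    pub outcome: u32,                // index of the outcome this source reports
    pub timestamp: u64,              // unix seconds when the source produced the value
    pub confidence_bps: Option<u32>, // None: provider supplies no confidence field
}

/// Per-source checks: whitelist, staleness window, confidence bounds.
pub fn validate_oracle_data(p: &OraclePrice, whitelist: &[&str], now: u64) -> Result<(), Error> {
    if !whitelist.contains(&p.source) { return Err(Error::OracleNotWhitelisted); }
    if now.saturating_sub(p.timestamp) > DEFAULT_MAX_STALENESS_SECS { return Err(Error::StaleOracleData); }
    // Known gap the PR lists: a provider that sends no confidence field is never bounds-checked.
    if let Some(bps) = p.confidence_bps {
        if bps > DEFAULT_MAX_CONFIDENCE_BPS { return Err(Error::LowConfidence); }
    }
    Ok(())
}

/// Multi-source consensus over the sources that pass validation: an outcome is
/// accepted only if at least DEFAULT_CONSENSUS_THRESHOLD percent of them report it.
pub fn consensus_outcome(prices: &[OraclePrice], whitelist: &[&str], now: u64) -> Result<u32, Error> {
    let valid: Vec<&OraclePrice> =
        prices.iter().filter(|p| validate_oracle_data(p, whitelist, now).is_ok()).collect();
    let mut counts: BTreeMap<u32, u64> = BTreeMap::new();
    for p in &valid { *counts.entry(p.outcome).or_insert(0) += 1; }
    // Integer test of n/total >= threshold/100; with threshold > 50 at most one outcome qualifies.
    counts.into_iter()
        .find(|&(_, n)| n * 100 >= DEFAULT_CONSENSUS_THRESHOLD * valid.len() as u64)
        .map(|(outcome, _)| outcome)
        .ok_or(Error::NoConsensus)
}

/// A market after oracle resolution; `votes` is Some once a dispute has been opened.
pub struct Market {
    pub oracle_outcome: u32,
    pub resolved_at: u64,
    pub votes: Option<Vec<(&'static str, u32, i128)>>, // (voter, outcome, stake)
}

/// One dispute per market, and the opener must post at least MIN_DISPUTE_STAKE.
pub fn open_dispute(m: &mut Market, voter: &'static str, outcome: u32, stake: i128) -> Result<(), Error> {
    if m.votes.is_some() { return Err(Error::AlreadyDisputed); }
    if stake < MIN_DISPUTE_STAKE { return Err(Error::InsufficientStake); }
    m.votes = Some(vec![(voter, outcome, stake)]);
    Ok(())
}

/// Votes are accepted only inside the DISPUTE_EXTENSION_HOURS window and once per address.
pub fn vote(m: &mut Market, voter: &'static str, outcome: u32, stake: i128, now: u64) -> Result<(), Error> {
    let deadline = m.resolved_at + DISPUTE_EXTENSION_HOURS * 3600;
    let votes = m.votes.as_mut().ok_or(Error::NotDisputed)?;
    if now > deadline { return Err(Error::VotingWindowClosed); }
    if votes.iter().any(|v| v.0 == voter) { return Err(Error::AlreadyVoted); }
    votes.push((voter, outcome, stake));
    Ok(())
}

/// Stake-weighted tally: splitting one stake across many addresses changes nothing,
/// which is what blunts Sybil voting. An exact tie is no decision, so the oracle stands.
pub fn calculate_stake_weighted_outcome(m: &Market) -> u32 {
    let votes = match &m.votes { Some(v) => v, None => return m.oracle_outcome };
    let mut totals: BTreeMap<u32, i128> = BTreeMap::new();
    for &(_, outcome, stake) in votes { *totals.entry(outcome).or_insert(0) += stake; }
    let top = totals.values().copied().max().unwrap_or(0);
    let leaders: Vec<u32> = totals.iter().filter(|&(_, &s)| s == top).map(|(&o, _)| o).collect();
    if leaders.len() == 1 { leaders[0] } else { m.oracle_outcome }
}
```

Two behaviours are worth noticing when reading this against the threat model. A source with `confidence_bps: None` passes `validate_oracle_data` untouched, which is exactly the "confidence checks only for providers that supply confidence field" gap the commit message records, so a reviewer of the real contract should look for the same branch there. And the tally deliberately returns the oracle outcome on an exact tie rather than picking the first or last leader, so a disputant cannot flip a result merely by matching the opposing stake.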